[lug] outgoing port 220 exploit?

D. Stimits stimits at comcast.net
Tue Jan 20 14:42:19 MST 2004 

Kevin Fenzi wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> >>>>>"D" == D Stimits  writes:
>
>
> D> David Anselmi wrote:
>
> >>Every 5 seconds:
> >>
> >>lsof -i4tcp:220
> >>
> >>Dave
>
>
> D> I've tried lsof and netstat with -c, none show it. A failed connect
> D> takes all of about 50 milliseconds, so I'd have to hit it in that
> D> time. Anything taking a "snapshot", and not reading 100% of
> D> anything using the port 6129, or attempting outgoing 220, will
> D> fail. Due to firewall rules, even tcpdump will not work, as blocked
> D> packets do not get recorded.
>
> What do your incoming rules say about port 6129?


All incoming to port 6129 are now blocked, but 6129 is the port on the 
local machine during outgoing. All source ports 6129, no matter where, 
are logged and blocked. All destination ports 220, no matter where, are 
logged and blocked. Both locally and via the bridge.

>
> I suspect this is someone scanning for a windows 'DameWare' server
> thats vulnerable to attack:

See this is the part that does not match that makes it look like a 
compromise...port 6129 is not being blocked, it is the source. 
Destination is 220 imap. I've checked for root kits and all kinds of 
files, I do plan to reinstall one machine, but there are 3 separate KRUD 
machines with 3 separate major versions that all do this. They do not 
correspond to cron times, though they are on a regular basis. Domains 
and ip's are not predictable, so I can't do something like a loopback 
intercept to then allow it to try the exploit to see what it does.

Port 6129 and 220 are both blocked and neither has anything listening on 
the port, I have tried from both inside the local domain and outside.

>
> http://archives.neohapsis.com/archives/incidents/2002-08/0097.html
>
> The packet comes in to port 6129 on your machines, and they have setup
> their incoming packet so the reply goes back to port 220 on the
> sending machine (in this case it should be a connection refused,
> unless you are running DameWare).

I have not tracked the packing coming in, only attempting to go out. 
This is the mystery that makes it look like a compromise (though 
everything I checked says it isn't compromised), that I can't find it. 
But if it is a packet coming in and then the incoming ceases, things 
like lsof and netstat won't see it, they are too slow. I am thinking of 
writing a program to bind 6129 and see what happens.

>
> You are using ipchains, which is not a statefull packet filter, so you
> are likely allowing all non privleged ports in, ie, 1024:65535...
> so they would be able to get a 6129 packet in?

Some of the ports above 1023 are open via firewall, but not running 
services, on only 1 machine. The other 2 machines use iptables and the 
same thing is happening.

>
> Does:
>
> fuser -n tcp 6129


This shows nothing, as does lsof and netstat and tcpdump. FYI, I 
forcibly replaced some of the relative testing tools just in case.

>
>
> show anything on your machines?

Nothing. I need to find the incoming, or verify a process. I fear I have 
to open the firewall outbound to have it run long enough to catch it, 
perhaps 5 seconds.

I wish I knew of some exploit that breaks port 220, then I could 
investigate to see if that particular exploit was on my machine. But it 
looks like a relay at this point rather than compromise. I don't know 
for sure so I can't stop looking.

D. Stimits, stimits AT comcast DOT net

More information about the LUG mailing list